Sunday, May 17, 2009

From a Human Factors approach, the new paradigm shift both in and out of the cloud is more user centric, built around Universal Clients for the desktop. The monolithic era of tightly coupled OS, applications and data can no longer survive and thrive in today's technology dependent world.

Let us not forget Vista, and why, although many of us have either worked with or for large organizations that wasted significant man hours and investment planning to migrate, the actual adoption of the platform was delayed and/or rolled back. Why? Many cite application compatibility, usability, and impact to business continuity. ALL are factors for ease of use. Perhaps if the definition is built more around the 4 C's of universal clients (Client, Continuity, Compliance, Control) it may be less generic and more easily defined in terms of context, content, and user. Another big factor not mentioned in these threads, but of grave concern, is compliance with security, regulatory and business directives, particularly when acts are being passed like the one in Massachusetts that calls for encryption during transport etc. for individuals within that state, and other acts that indicate you must adhere to state laws - see attached.

The 4 C's, defined in or out of the cloud but easily applied here, are:

Control - Systems need to be locked down for IT, easily managed, accessible to a range of admins (SME to Enterprise), encrypted, and flexible enough for end users to still do their job.

We all know everything is relative and there are good points to be made in this thread - but let's not lose sight that no two clouds will be exactly alike, or even their usage - what is required for an external cloud in Healthcare around medical billing may be different for Imaging, etc., based on the context in which the user is trying to perform their function and the criticality of their role. If someone makes a mistake or is delayed in getting someone's bill out, that is a minor annoyance, but the latter could be life or death. Opera tickets are entertainment and, although valid in the context in which they were presented, do not fully reflect the magnitude of how the cloud can help or significantly impact a business.

From: Miha Ahronovitz
To: cloud-computing@googlegroups.com
Sent: Sunday, May 17, 2009 9:50:00 AM
Subject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud

> I should put "cheap" into the cloud definition as well, because if it is expensive, then people will not use it.

Cheap, like "ease of use", is in the eyes of the beholder. A ticket to the opera costing $100 is expensive if I am a penniless student. A gala of $1,000 is very cheap if I have a net worth of $10M. My father said: "Expensive" is not how much it costs, but how much money you have. If you want to make everything "cheap", just make more money. Both "the ease of use" and the "affordability" should be laser pointed to the users from your business plan. Everett's point is a good point.

Miha

From: Raul Palacios
To: cloud-computing@googlegroups.com
Sent: Sunday, May 17, 2009 12:43:34 AM
Subject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud

I agree, typical MS mantra. "Easy" ... is a word that should be used that often ....

From: Ricky Ho
Sent: Thursday, May 14, 2009 11:39 AM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud

By applying your argument, I should put "cheap" into the cloud definition as well, because if it is expensive, then people will not use it.

1) You are mixing "desirable characteristics" with "definitive criteria".
2) There are other motivations that you have ignored. I may use something that is very difficult to use if it provides high value to me.
3) "Ease" is a subjective measurement. Something that is difficult to me may be very easy to you.

Rgds,
Ricky

Friday, May 15, 2009

Universal Clients – Have Lift Off In the EXTERNAL Cloud With InstallFree

There are days that I think – I must be dreaming – but realize today – Universal Clients are a reality for InstallFree providers like GDS and their customers, not just in the traditional sense but in the Cloud. This week was a productive week in Seattle with pivotal, explosive growth across many sectors. How, one may ask, can someone take highly regulated applications and host them in an external cloud? InstallFree provides unique capability for 2 factor GRC that fits nicely with HIPAA. Unlike other physical and virtual packages, IF provides a unique set of capabilities that enables many ONLY features that address critical control GAPs – making compliance in the cloud, and therefore Universal Clients, a reality today – not tomorrow. The unique approach does not require additional hardware, OS changes or hypervisors in the mix. Modularity & Security are well thought through beyond any other desktop paradigm in the market. Yes I am biased as the VP of Business Development – but then again – that is why I am here – truly superior technology. The secret sauce is in dynamic binding down to the machine & user level. Now applications that once had to be repackaged multiple times with complex pre/post install scripts, targeting and overhead can be reduced to a single package. Configurations can be restricted based on policy and bound at run time to make the most impossible case seem utterly simple. What’s the big deal? After over a decade of working with the top Fortune 1000 companies in this space, a product comes along that finally gets it right. For example – a doctor with a clinic, a home office for on call, and affiliated hospitals – only needs a single app to comply with HIPAA.
Because of this revolutionary approach – IT can set policies that restrict what the doctor can do on his Home PC to read only, on his clinic PC to full copy, paste, and print within the confines of the environment, and at the nurse’s station based on local resources to avoid fines for printing to the wrong printer. Without requiring additional technology to make it happen other than a read only view to Active Directory… Imagine – cutting the 3 applications used today down to 1. No extra pre/post install scripts, linking, sequencing or complex procedures, just pure simple file copy. Simple enough that even the technophobe can leverage the easy to use IF Management Console without having to know how to script, link, sequence, etc… Easy as 1 2 3… This is just the tip of the iceberg – built in Digital Rights Management, Encryption (apps & data), 2 factor discovery for “truly virtual apps” that plugs into current reporting paradigms without risks or writing to the registry, and shell integration for a seamless experience – WOW. Why care? EMR is just around the corner. New laws around privacy and encryption are under way with the Security Czar – the monolithic world, packaging, and interlocking principles will no longer suffice in the new age of Governance, Risk and Compliance. Not to mention versatility without impact on application richness (due to poor server graphics processors and remote displays) or delivery mode – online, offline or in the cloud.

Wednesday, May 13, 2009

In the Clouds

Travelling from coast to coast in the “clouds” really got me thinking about knowledge workers in the context of clouds. Fat pipes, adoption of clean processes, etc. have led to pretty predictable user stories for “connected” users working within a cloud – but what about the road warrior (Doctor, Lawyer, Pole Climber, UPS Truck Driver, Sales rep, or CEO)? Managing always connected users is not a new feat – many solved it back in the day with mainframes and dumb terminals. Pulling the unmanaged PC into the mix with the managed PC is nirvana for many companies. How can you lock down a user while still providing enough flexibility to support them while they are “disconnected”?

Network access from a virtual CAFÉ or even a data card is not a guarantee that the user will have access to backend environments. Issues with VPNs, authentication, network latency and general access issues can rear their ugly head at the most inopportune time (before the demo, the big movie presentation, during an exam). There are many approaches that can be taken, such as hybrid application & desktop virtualization (such as InstallFree) that enables checking applications out. One idea to extend the deployment is to leverage virtual clients.

Saturday, May 2, 2009

From the thread - there is a lot of time and thought on specific projects that were going through, such that the "auditors" may not have informed those on the thread of all the pieces, and some of the industry wide misperceptions from vendors that did not bother to take the time to educate themselves on the acts, NIST, etc. have propagated. As a result - there are some misperceptions on compliance, how it can be hosted in the cloud, and the consequences.

The types of compliance and their requirements vary. The thread below is mixing HIPAA, SOX, etc. That is only applicable for public companies that deal with patient information (Insurance, Hospitals, Device Manufacturers). Different industries are impacted by different types of regulations (Financial services for example has the Office of Thrift Supervision, SOX, Gramm-Leach-Bliley, Basel I & II, PCI, etc.). Healthcare is also overseen by the FDA because hospitals manufacture blood, for example.

Outsourcers such as Perot, CSC, IBM, Accenture, Unisys, etc. have had solutions around various verticals that are highly regulated after the legislation passed (Government, Financial Services, and Healthcare - HIPAA and SOX). SAS70 is the audit control for those smaller SMBs/SMEs that most hosted solution providers provide to audit, and to the companies they serve, to prove that data is encrypted, isolated and safe. This is a practice that has matured over the years and there are many good documented "How to Guides" - www.itpi.org - for the Visible Ops series. I am copying one of the co-authors and a formidable expert in this area - in case he would like to comment.

Yes CXOs need visibility into their organization to comply with SOX - that is ONLY for public companies. For example, large private healthcare companies do not have to worry about SOX. HIPAA is different, as is PCI, because they affect anyone in contact with personal information (health, financial). HIPAA and other Personal Health Information Acts in Europe, Japan (which are more stringent) address access to patient information (health, billing, etc.). Depending on the PHI Act (such as Europe) some require that it be hosted in the country of origin, others are less stringent, requiring that it be encrypted, access controlled, etc. The outsourcer will need to provide SAS70 findings from an independent audit body, which the CXO needs to review. The CXO will not go to jail but will more than likely move to a different MSP if the government finds material discrepancies. They have time to clean them up, particularly if it is something that resulted from a process or technology issue versus blatant fraud as happened in the Enron case that brought about SOX.

One suggestion would be to actually read the regulations you are speaking about - see attachment for SOX. It is not the regulations that require reform (many of them were generically written - not to a specific technology per se) but the prescriptive guideline controls such as COBIT (used by auditors to test the technical system) and frameworks like ITIL and ISO that do need to be adjusted. That is not up to the politicians but the government commissions from NIST in the US - similar agencies in other countries to define and enhance. New standards are forming and being added to ITIL (look at V3 that changed from V2 to add a DML - definitive media library over a DSL - definitive software library and more around federation) - why? Because the technology evolved and changed.

The biggest GAP here for the cloud is how newer technologies - like virtualization - impact those controls, making it difficult to enforce some and making others obsolete. It is important to understand the risks of these new technologies for GRC (governance, risk and compliance) and either find prescriptive work arounds or select technologies that were created post regulations (after 2004) so that compliance, and how it evolved with NIST, will have a greater chance of being baked in as part of the architecture and not an afterthought until it is an issue.

It is not visibility as is stated - else the large outsourcers that have made a successful business off of healthcare verticals - would not still be in business. More importantly most small doctor's office etc are less than 100 employees - they could not afford a big datacenter etc for compliance and need to look at alternative means like the cloud.

The key here is to join groups like W3C that are defining Common Information Model or others that influence NIST direction, ITIL or COBIT reform (the majority uses ITIL framework or ISO).

Have a great weekend.

Cheers,

Jeanne

From: Rao Dronamraju
To: cloud-computing@googlegroups.com
Sent: Saturday, May 2, 2009 9:05:16 AM
Subject: [ Cloud Computing ] Re: Clouds and Compliance

“The problem here, I believe, is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing. Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.”

No, the problem in the cloud scenario is CONTROL and VISIBILITY…. On his/her own premises, he has a LOT of CONTROL and VISIBILITY. He/She is directly responsible for the CONSEQUENCES of anything going wrong in terms of compliance. In the cloud scenario, that responsibility has PARTIALLY shifted to the CSP. The CXO is still responsible for the content and authenticity of the financial information.

I am not sure why lawyers would be interested in fixing this?.... The stakeholders here are the companies, CSPs and the government…. they are the ones who are most benefited by clouds. Of course, the lawyers employed by them will work out the legal issues.

Would the govt. by itself look into this?....don’t know….

Your example of toy manufacturing and compliance is a good example to convince the CXOs that outsourcing compliance is in practice and working.

“NIH has research grants to come with solutions that allows for increased compliance. I hope if the solution is very difficult then HIPPA requirements may have to be changed. It will take time.”

Government can wait….they don’t run on making profits….for businesses TIME IS PROFITS….they cannot wait….they have to take the initiative and leadership and make things happen.

I feel that "the lawyers will NEVER do it" is too strong. "It ain't going to happen" is stronger. I believe they didn't know that the problem exists. It may take time for them to recognize the problem and then come up with regulations to solve it. Law has always been behind the technology development. So how long it will take is then the question?

Note: exchanging health records electronically and compliance with HIPAA is a big problem. The present government is making progress to overcome that by trying to seamlessly move the records from the Pentagon to Veterans Affairs. NIH has research grants to come up with solutions that allow for increased compliance. I hope if the solution is very difficult then HIPAA requirements may have to be changed. It will take time.

"Today I know an ISP who has an excellent compliance solution and good market, is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs are not going to come forward and place their compliance systems in a public cloud as long as 100% of the compliance responsibility is with them…. so this company just yet does not have the SaaS market…. maybe in 6 to 12 months…."

The problem here, I believe, is one of verification. If the CXO is 100% guaranteed and convinced that the ISP solution is compliant then he will have no problem outsourcing. Remember he has to believe his own IT people and their system being compliant. Can the ISP convince him that their system is "SAME" as the internal system? There lies the problem.

Let us take a simple problem. Toys sold in the US have to be compliant with certain safety standards. Mattel outsources the manufacturing to China and takes the responsibility of compliance with US laws. (They did have a problem with a particular toy recently and the product was recalled.) Also, I do understand, the requirements on toy safety are not as complex as the problem we are discussing.

So the question is, can we build software systems that are compliant with complex law and guarantee their behavior? We all have our own opinions and experiences with regards to software verification technology. It also has a long way to go.

-satish

On Fri, May 1, 2009 at 11:52 PM, Rao Dronamraju <rao.dronamraju@sbcglobal.net> wrote:

“Who wants to sign up and work with the lawyers so the regulations can be modified to the technical opportunities? Willing them to change isn't going to happen.”

Exactly…

Today I know an ISP who has an excellent compliance solution and good market, is willing to try the SaaS model.

But when I did the analysis, I realized that unless the law is changed, CXOs are not going to come forward and place their compliance systems in a public cloud as long as 100% of the compliance responsibility is with them…. so this company just yet does not have the SaaS market…. maybe in 6 to 12 months….

If someone knows of a case where a corporation has gone ahead and is using a SaaS compliance solution in the public cloud please let me know…. I am very interested in learning their business case including the legal case….

Satish

What's interesting about your comment on the lawyer community must change - the reality is that is not going to happen. Each region; geographic, national, or local has their own laws. I am referring to Germany: its laws are far more strict than those of Australia; while Massachusetts privacy laws are far more strict about privacy than, say, Iowa. Who changes? Is Iowa going to adopt MA laws? Or is Iowa going to create a local Safe Harbor bridge to, say, Germany? Sadly the reality is no. The question of privacy remains, and which privacy laws must I adhere to? All of them? Some of them? Target markets? Amazon has a European Cloud but is that a stop gap or a reality of compromises between the clouds? Also securing your data (in flight or at rest) is not a governance/compliance get out of jail card. When companies say they are SAS-70 2; great, but will that hold up in Uruguay courts (probably not). So what is the answer? Well right now each "Cloud" contract is being treated as an outsourcing contract. Will that scale? Time will tell, but in the meantime if Cloud expands then being a contract lawyer is the place to be. But the question I have for the vendors who are bridging multiple cloud access methods via multiple IaaS providers and providing a service: how will those contracts be structured? The question I have is - does it matter where your data is? The answer is yes, but I had hopes that the Privacy Group meeting in Madrid - October 09 - would create an attempt at general standards which in turn would allow for cross border clouds. Not sure the url is right now but if someone wants to find the conference url please do. From memory the agenda is scaled back and getting agreement on global standards will have to wait for another year. Which means the governance question will remain for another year. Will the lack of Cloud Standards also remain as well?

More and more I think about it. The regulators that we say must change are lawyers by trade. We are technical folks demanding change to open the true potential of cloud but are constricted by the ambiguity and fear of terms like "reasonable". Who wants to sign up and work with the lawyers so the regulations can be modified to the technical opportunities? Willing them to change isn't going to happen.

Brian

On Fri, May 1, 2009 at 4:12 PM, satish rege <srege007@gmail.com> wrote:

The main difficulty with compliance of a law, that you are so concerned about, is that the laws are made with knowledge of the previous technology and they may not be suitable for a new one that flourishes. In general the new technology cannot provide all the advantages if it has to meet the old law. Thus there is a chicken and egg problem which I feel the lawyer community has to solve. That is, to make laws with technology change in mind. Perhaps the new administration, with its technology savviness, will try to look into this age old problem.

-satish

On Fri, May 1, 2009 at 12:34 PM, dave corley <dcorley75@gmail.com> wrote:

Sounds like an opportunity for a Storage Brokerage as a Service Provider and local storage product (NAS and SAN) vendors.

Storage Brokerage as a Service Provider - host EMC Atmos or similar storage brokerage software. Brokerage maintains enterprise-specific storage policy and SLAs. Brokerage also specifies target repositories for stored information based upon metadata contained within the file/information. If super-colossal-critical-SOX-compliance data is required to be produced for audit, policy is adjusted for associated information classified through metadata as "compliancy-important" as follows:

1. Primary backup to local store (premise NAS for small business, premise SAN for enterprise, mattress for consumer). Keep the family jewels and photos of the kids so
2. Secondary backup to storage repository SP "A".
3. Tertiary backup to storage repository SP "B".
4. Encrypt all data AES256 prior to all backups.
5. Establish policy/process, train your IT folks/VARs responsible for processes. If this data is so important, assign a "custodian" responsible for maintaining information metadata. Heck, most companies do this kind of item 'marking' for inventory control.
6. Data integrity monitor frequency - every X days.
7. Data loss reporting - within Y hours.

Other less expensive/expansive policy applied to less critical information.

Additional policies to allow storage arbitrage - if Wells Fargo's storage repository rates drop, substitute them as SP "A" and drop "Fred's MattressInTheCloud". Tiered/layered security/Defense in depth - not just a military concept.

Disclaimer: I have never worked for EMC, SP "A", SP "B" or Fred's MattressInTheCloud.

Dave

The fundamental problem is the Criminal Penalties associated with non-compliance although Civil Penalties are also equally troublesome.

For instance, Sarbanes-Oxley says the CXOs are responsible for the integrity of the financial information and also the integrity of the controls in place.

Not only do they have to sign off on the integrity of both, external auditors have to attest to the authenticity and integrity.

So if and when enterprises plan to move to public clouds, there are some interesting situations one would run into.

If suppose there is non-compliance in the establishment, management and maintenance of the controls, who would be responsible?....

The CSP or the CXO of the enterprise?....

Similarly, if the integrity of the financial information is breached, who is responsible?....

Remember there are criminal penalties involved not just civil penalties?....

Can any of these be fixed with SLAs?....probably the civil penalties but definitely not criminal penalties. I do not think the law would allow a CSP to go to prison in place of a CXO.

May be some legal expert in the group can speak to it.

So the interesting problem here is, how would you distribute the compliance responsibilities and liabilities associated with non-compliance between the CXOs and the CSPs?....

The only way seems to be through legislation. Unless the legislature changes the law in such way that the penalties are levied on the parties RESPONSIBLE for the integrity of the controls and the financial information. If the controls fail CSP goes to jail, if the financial information is fudged the CXO goes to jail.

How likely is this to happen?.....

How soon could this happen?....We all know how fast the legislature moves…..

The adoption and migration of enterprises to public clouds could depend a lot on this.

The other alternative is, do not move the compliance systems to the clouds at all…..until the legislature catches up with the technology.

Friday, May 1, 2009

This week a fellow blogger on the Cloud posed some interesting questions around compliance that highlighted that this area is not very well understood when it comes to the cloud and virtualization - across desktops, apps, and to some degree servers.

Compliance is an interesting element in its own right, with many twists and turns depending on the industry (healthcare, financial services, manufacturing, etc.), the type of company, what technology is in place, whether it is actually used in a way that adheres to COBIT, and, for outsourcing, the controls the outsourcer has put in place and whether those controls pass a SAS70 audit.

Yes - SOX does say that the CXO will go to jail if they do not adhere to proper controls and conform to the standards identified by NIST to do so. Truth be told, very few have actually gone to jail; although several companies (527 in the first year according to the IT Governance Institute) have had material discrepancies, their CXOs have not seen much in the way of jail time. The real teeth of SOX are having to post in a public place like the Wall Street Journal, and the impact on the stock etc. is a much bigger driver. Companies typically have time to clean up their act and fix the material discrepancy. The act itself is very ambiguous and doesn't actually define all the components but leaves that up to NIST and COBIT (not to mention additional flexibility for auditors) to deem whether a company is in compliance. It is the system, manual or automated, that enables compliance, not the technology.

Having said that, who has ownership, and how do you determine compliance for the cloud? Many of the compliance factors, whether SOX, HIPAA, PCI, GLB, etc., have been factored into MSP and outsourcing models and are part of SAS70 audit controls - at least for physical systems. Otherwise companies like Salesforce.com, Amazon, etc. would have a difficult time maintaining their service given the sensitive data.

The real gap that needs to be thought through for the cloud is what the newer technologies that enable the cloud - like virtualization - do to the traditional controls used to maintain compliance, and how the lack of understanding about those technologies impacts companies' ability to deploy them fully. In my previous company, ITPI and I worked on research in this area across several different companies - interviewing everyone from CXOs to operations to really understand the GAPs.

ITPI is targeted to release the overall study - Kurt Milne, copied here, can provide more insight on the details. I must say it is a real eye opener and a significant area in which quite a bit of work needs to be done. www.itpi.org

The real concern is that standards such as COBIT and the Common Information Model (CIM, SMASH, DASH, etc.) are based on the physical world and were created without virtualization in mind. DMTF is adding virtualization to CIM, but there is still quite a bit to be done from a backend systems perspective around virtual apps, desktops, and servers to ensure compliance is maintained.

In some ways virtualization poses more risks to existing controls, particularly around security, and in other ways it makes new controls possible. The key is understanding what those risks are, the architecture - not all are created equal - the ways to work around them, and what can be deployed versus what cannot based on the application, oversight required, etc. Companies work around this today - so it is also possible in the Cloud.

The key here is that while everyone is trying to define this new market, it is critical to understand the current physical paradigm, processes, controls and how we impact them before creating the solution. Clearly, as with all new paradigms and markets, there is quite a bit for all of us to define, educate each other on and understand before jumping.

About Me

Jeanne is an independent expert on Cloud, Application Virtualization and Systems Management - working to bridge the gap between hype and reality for Enterprise. She brings over 15 years+++ of experience in Systems Management specializing in driving innovation in areas such as BSM, Discovery, Virtualization, Cloud Computing, Universal Clients and Compliance for BMC and VMware. For more information contact Ms. Morain at jmorain@yahoo.com.